corona-warn-app / cwa-app-android

Native Android app using the Apple/Google exposure notification API. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

Digital certificate for rapid test is issued with "Standardized surname/forename" with only first letter #3670

Closed jkrwdf closed 2 years ago

jkrwdf commented 3 years ago

Avoid duplicates

Technical details

Describe the bug

The digital EU COVID-19 certificate which is issued after a rapid test contains in the CBOR elements "nam/fnt" and "nam/gnt" only the first letter of the respective content, for example "M" when the name is "Mustermann".

Steps to reproduce the issue

I created a "Schnelltestprofil" with my full data and underwent a rapid test at a test location which is fully integrated (reads QR code of profile, sends results to CWA, supports creation of digital EU certificate for rapid tests).

After receiving the test result and the certificate, I decoded the certificate content (strip "HC1:", Base45 decode, ZLIB deflate, CBOR playground).

The data about the name of the testee are exemplary:

"nam": {"fnt": "M", "fn": "Mustermann", "gnt": "E", "gn": "Erika"}

Expected behaviour

Elements "fnt" and "gnt" are expected according to https://ec.europa.eu/health/sites/default/files/ehealth/docs/covid-certificate_json_specification_en.pdf to contain the

"Surname(s) of the holder transliterated using the same convention as the one used in the holder’s machine readable travel documents"

in the case above: MUSTERMANN and ERIKA.

Additional context

Remark: In my digital vaccination certificates, those elements are populated correctly, therefore I assume it is the CWA which transfers those data incorrectly to the RKI for signing.
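A check for the defect reported above, as an added example that is not part of the original post or of the CWA code base: it validates the `nam` object of an already decoded certificate and goes slightly beyond the reported case by also checking the field format. The `[A-Z<]` pattern with a maximum of 80 characters is taken from the EU DCC schema, and the transliteration table is a simplified, assumed subset of the ICAO rules; `transliterate` and `check_nam` are hypothetical names.

```python
import re
import unicodedata

# Assumption (EU DCC schema, not this thread): fnt/gnt hold only A-Z and '<',
# at most 80 characters.
STANDARDISED = re.compile(r"[A-Z<]{0,80}")

# Assumption: simplified subset of the ICAO 9303 transliteration table, using
# the German convention for umlauts. str.upper() already maps "ß" to "SS".
SPECIAL = {"Ä": "AE", "Ö": "OE", "Ü": "UE", "Æ": "AE", "Ø": "OE"}


def transliterate(name):
    """Approximate the machine-readable form of a display name."""
    out = []
    for ch in unicodedata.normalize("NFC", name.strip()).upper():
        if ch in SPECIAL:
            out.append(SPECIAL[ch])
        elif ch in " -":
            out.append("<")
        else:
            # Drop diacritics (É -> E) and anything that is not A-Z.
            base = unicodedata.normalize("NFKD", ch)
            out.append("".join(c for c in base if "A" <= c <= "Z"))
    return re.sub(r"<+", "<", "".join(out))


def check_nam(nam):
    """Return (field, problem) pairs for the 'nam' object of a decoded DCC."""
    findings = []
    for plain, std in (("fn", "fnt"), ("gn", "gnt")):
        value = nam.get(std, "")
        if not STANDARDISED.fullmatch(value):
            findings.append((std, "format"))
        elif plain in nam and value != transliterate(nam[plain]):
            findings.append((std, "mismatch"))
    return findings


# 'nam' object as quoted in the report above.
REPORTED = {"fnt": "M", "fn": "Mustermann", "gnt": "E", "gn": "Erika"}
# Constructed samples: a correct certificate and one with a space separator.
CORRECT = {"fnt": "MUSTERMANN", "fn": "Mustermann", "gnt": "ERIKA", "gn": "Erika"}
SPACED = {"fnt": "MUSTERMANN", "fn": "Mustermann", "gnt": "ERIKA MARIA", "gn": "Erika Maria"}

if __name__ == "__main__":
    for sample in (REPORTED, CORRECT, SPACED):
        print(check_nam(sample))
```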

vaubaehn commented 3 years ago

@jkrwdf wrote:

In my digital vaccination certificates, those elements are populated correctly, therefore I assume it is the CWA which transfers those data incorrectly to the RKI for signing.

For the vaccination certificates, another system is used: IBM/Ubirch for data entry (by medical staff) in web-frontend and processing in backend, next to 3rd-party-solutions.

For the RATs, T-Systems' system is used before test data are forwarded for later creating dcc/signing: entry of data by testcenter staff in web-frontend and further processing in backend, next to 3rd-party-solutions that provide data to backend via API.

For the RATs: currently Standardised Names are entered manually by testcenter staff, when entered in front-end. Standardised Names that are provided via API by 3rd-party applications are not validated.

This means, currently Standardised Names are likely often subject to error (typos, wrong format, etc...)

This will lead to problems soon, when CWA (or other wallet apps like CovPass) rely on standardised names to match a number of different certificates to a single person. In that case, for every different standardised name a new person would be created inside the app.

Only T-Systems can adjust here.

Related issue: https://github.com/corona-warn-app/cwa-quick-test-frontend/issues/185

/cc @ascheibal @ggrund-tsi /cc @mlenkeit @thomasaugsten

(/FYI @d4rken - here we go 😉 )

vaubaehn commented 3 years ago

By the way: the reported issue here also has the potential to create longer queues at border control, in case other countries use their own verifier apps that display standardised names by default to compare with id/passport...

mlenkeit commented 3 years ago

I agree with @vaubaehn that this is most likely not a bug in the app itself.

The certificate is created by the rapid test provider. They may use the data from the rapid test profile to determine fnt and gnt, may enter the values manually, or may have some logic in place to do transliteration based on fn and gn.

@jkrwdf would you mind disclosing the rapid test provider via mail? This would allow us to follow up on the issue. You can send it to maximilian.lenkeit@sap.com.

mlenkeit commented 3 years ago

@jkrwdf thanks for sharing the name of the rapid test provider! It looks like the provider is indeed using cwa-quick-test-frontend and affected by https://github.com/corona-warn-app/cwa-quick-test-frontend/issues/185. Until this is implemented, the provider would need to make sure that the ICAO names are entered correctly.

jkrwdf commented 3 years ago

Just got the 2.5.1 from Google Play Store and can now also play with the capability to scan RAT certificates via QR code in CWA.

The effect announced by @vaubaehn is directly appearing: Although the RAT certificate is issued to the very same person name, CWA visualizes it as separate entity in the "Certificates" tab, and I can now select via the slider "I am that person" whether I am "Erika Mustermann" from the vaccination certificate or "Erika Mustermann" from the RAT certificate :-)

docweirdo commented 2 years ago

On a similar note, I have two certificates in my name that are displayed as belonging to separate persons.

For one of them, the value of gnt is an improperly standardized name that contains a space character between two given names instead of a < character.

An issue like this could probably be fixed by an adjustment like this.

Is this an option or should one rather not try to tackle this kind of problem on the front end side?

dsarkar commented 2 years ago

@docweirdo thanks for your report. Could you provide the name of the issuer of the DCCs? We can then forward the info.

docweirdo commented 2 years ago

@dsarkar I am afraid this might be outside of your reach, the certificate was issued by the Ministry of Health of Israel.

Th-St commented 2 years ago

I have got a Rapid Test Certificate that is displayed as belonging to another person. In my case the letters "e" in my last name were replaced with "i" in the standardized name but correct in the non-standardized name.

What about if you consider it the same person if there is a match between an existing entry AND ((non-normalized first name AND non-normalized last name AND date of birth) OR (normalized first name AND normalized last name AND date of birth))?
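The matching rule proposed in the comment above, as an added sketch that is not code from the comment or from the CWA app: `Holder`, `same_person` and `group` are hypothetical names, the certificates are constructed samples, and comparing display names trimmed and case-folded is an assumption.

```python
from typing import NamedTuple


class Holder(NamedTuple):
    fn: str    # surname as displayed
    gn: str    # forename as displayed
    fnt: str   # standardised surname
    gnt: str   # standardised forename
    dob: str   # date of birth, ISO 8601


def same_person(a, b):
    """(fn AND gn AND dob) OR (fnt AND gnt AND dob), as proposed above."""
    if a.dob != b.dob:
        return False
    # Assumption: display names are compared trimmed and case-folded.
    plain_a = (a.fn.strip().casefold(), a.gn.strip().casefold())
    plain_b = (b.fn.strip().casefold(), b.gn.strip().casefold())
    # An empty name pair never counts as a match; fn/gn may be absent.
    plain = all(plain_a) and plain_a == plain_b
    std = all((a.fnt, a.gnt)) and (a.fnt, a.gnt) == (b.fnt, b.gnt)
    return plain or std


def group(certs):
    """Cluster certificates; a new match merges every group it touches."""
    groups = []
    for cert in certs:
        hits = [g for g in groups if any(same_person(cert, m) for m in g)]
        merged = [cert] + [m for g in hits for m in g]
        groups = [g for g in groups if all(g is not h for h in hits)]
        groups.append(merged)
    return groups


# Constructed samples modelled on the cases reported in this thread.
VACC = Holder("Mustermann", "Erika", "MUSTERMANN", "ERIKA", "1964-08-12")
RAT = Holder("Mustermann", "Erika", "M", "E", "1964-08-12")          # first letter only
TYPO = Holder("Mustermann", "Erika", "MUSTIRMANN", "ERIKA", "1964-08-12")  # e -> i
OTHER = Holder("Mustermann", "Erik", "MUSTERMANN", "ERIK", "1990-01-01")
CERTS = [VACC, RAT, TYPO, OTHER]

if __name__ == "__main__":
    for members in group(CERTS):
        print(len(members), sorted({m.fnt for m in members}))
```

Because either branch is sufficient, a one-letter standardised pair such as `M`/`E` also matches any other holder with the same initials and date of birth through the second branch.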

jkrwdf commented 2 years ago

The software which my primary testing center uses received an update 1-2 weeks ago.

Since then, the fields for the standardized forename and standardized surname are automatically populated from the scanned QR code data (yeah!) and no longer have to be filled out manually each time by the personnel.

The time of incorrectly issued test certificates ("X<<Y" or "Q<<Q") is therefore at least for me finally over and I think this issue can be closed.